Changing password through Kerberos/ Kerberos Error codes
rra at stanford.edu
Mon Apr 8 12:20:12 EDT 2013
Arpit Srivastava <arpit.orb at gmail.com> writes:
> 1. Before prompting the user to change the password, I want to check
> whether the password is about to expire or not. My server is Windows AD
> and I have set the password lifetime to be 2 days (which is less than 7
> day as per Windows standard for sending the password expiry
> notification). For that, I have registered a callback in
> krb5_get_init_creds_password but what is happening is callback api is
> being called again and again. And TGT is fetched in the background. What
> could be the reason for this ? Moreover, no message/banner is coming in
> prompt callback function which is unexpected.
The krb5_get_init_creds_password callback, if you're referring to what I
think you're referring to, is intended for prompting, not for intercepting
messages from the KDC (although it can also do the latter). If you
provide a prompting function, you'll have to deal with the prompts (such
as passwords). But I'm not sure I understand what you're explaining; more
details might be helpful.
> 2. I made the password to expire on my Windows account. and now checking
> the krb5 error code returned by krb5_get_init_creds_password. Ideally,
> it should come out to be KRB5KDC_ERR_KEY_EXP butwhat I am getting is
> KRB5KDC_ERR_NEVER_VALID . What could be the reason for this behavior.
That error message supposedly means that you requested a negative lifetime
for the ticket.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev